ID. Date of interview 
date 40/92/20 


ID. Time interview started 
start 99:47:15 


ID.end Completion date of interview 
Date = 40/02/20 


ID.end Time interview ended 
09:49:14 


ID. Duration of interview 
time 4.98 


new Case 


ICO consultation on the draft right of access guidance


Q1 


Does the draft guidance cover the relevant issues about the right of access? 
O) Yes 

© No 

©) Unsure / don't know 

If no or unsure/don’t know, what other issues would you like to be covered in it? 


It would be useful to clarify whether this guidance is solely for the right of access or also for the right to 
data portability. At various points the guidance refers to Article 20 in conjunction with Article 15. Will you 
be providing separate guidance for Article 20 in the future? If so perhaps you could reference this in this 
guidance, e.g. on p32 where you discuss Art 20 requests. Similarly on p14 you discuss FOI requests but 
it might also be useful to mention other data protection requests in this same section (i.e., a section on 
"What should we do if a request mentions other data protection rights?").


Q2 


Does the draft guidance contain the right level of detail? 
O) Yes 
© No 
©) Unsure / don't know 


If no or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


p19/20 - we believe that the section on asking for ID could do with more detail. In our study (Wong and 
Henderson, The right to data portability in practice: Exploring the implications of the technologically 
neutral GDPR. International Data Privacy Law, 9(3):173-191, August 2019) we found a number of 
unwarranted requests for identification, such as requests for unredacted copies of passports where the 
data controller held no information that could be verified using a passport (e.g. an account where no real 
name was provided). There are further privacy and data protection implications if additional ID is 
requested, and it should be made clear that any such additional personal data requests are also subject 
to the GDPR and as such need to meet the data protection principles.

p30 - we found this page somewhat hard to understand. In the first instance you suggest that electronic 
SARs must be fulfilled electronically, but that other types of SAR can be fulfilled in other forms. But later 
you suggest that transcripts or printouts are acceptable. Does this also apply to electronic SARs? In our 
study we found that some data controllers provided paper copies even for Article 20 requests, so we 
believe that clarity here is important.

p67 - it might be useful to mention exam results (referencing p57) when discussing education data.


Q3 


Does the draft guidance contain enough examples? 
O) Yes 
© No 
©) Unsure / don't know 


If no or unsure/don’t know, please provide any examples that you think should be included in 
the draft guidance.


p18 - it would be good to see some examples of "specialist work involved in redacting information or 
communicating it in an intelligible form".

p20 - as per our answer above, it would be good to see more examples of identification verification 
requests that support the data minimisation and storage limitation principles. The GP example is positive, 
but you could perhaps point out that it would, for instance, be inappropriate to ask for a photo ID if the 
data controller does not hold a photo of the data subject.


Q4 


We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would like to 
include a wide range of examples from a variety of sectors to help you. Please provide 
some examples of manifestly unfounded and excessive requests below (if applicable).


Q5 


Q6 


Q7 


On a scale of 1-5 how useful is the draft guidance? 


1 - Not at all useful   2 - Slightly useful   3 - Moderately useful   4 - Very useful   5 - Extremely useful


Why have you given this score? 


It provides a good level of detail and some examples, although we would suggest 
providing some more. 


To what extent do you agree that the draft guidance is clear and easy to understand? 


Strongly disagree   Disagree   Neither agree nor disagree   Agree   Strongly agree


> © O O 


Q8 


Q9 


Please provide any further comments or suggestions you may have about the draft 
guidance. 


See comments previous - we found some areas confusing. 


Are you answering as: 

O An individual acting in a private capacity (eg someone providing their views as a member of the public) 
© An individual acting in a professional capacity 

C) On behalf of an organisation 

() Other 

Please specify the name of your organisation: 

University of St Andrews 


What sector are you from: 
Higher Education 


Q10 How did you find out about this survey? 
© ICO Twitter account 
( ) ICO Facebook account 
( ) ICO LinkedIn account 
C) ICO website 
( ) ICO newsletter 
( ) ICO staff member 
( ) Colleague 
( ) Personal/work Twitter account 
( ) Personal/work Facebook account 
( ) Personal/work LinkedIn account 
( ) Other 
If other please specify: 


